5 Keys to Build a Successful Disaster Recovery Plan Audit
Do you remember any recent months when some sort of disaster wasn’t happening somewhere in the U.S.? The reality is that disasters seem to be the new normal.
The fact that man-made or natural disasters can strike your business any time means that your disaster recovery plan (DRP)—as much or more than any other business planning effort—could end up being the key to the ongoing survival of your business.
But just having a DRP isn’t enough. It needs to be up-to-date to account for the latest potential threats and business circumstances. In other words, it needs to be a living, breathing document. And one of the best ways to make sure your DRP is current is through annual audits. In our last post, we examined why DRP audits are so important. Now let’s look at five keys to successful DRP audits:
1) Executive support
Since potential return on investment (ROI) often factors heavily into senior management decisions, the value of an up-to-date DRP can be hard to calculate or understand if your team has never had to navigate a business disaster. But the fact is that the cost of doing nothing can be the end of your business. That’s why the relatively small investment in a DRP audit is so valuable. All it takes is one incident for an audit to pay for itself many times over. But without executive buy-in and leadership, DRP efforts will never get the attention and respect they need and deserve in regular business planning. For most types of organizations, best practices involve at least annual DRP audit. A key-benefit of doing regular audits is that they help to level-set management expectations about disaster readiness so they can adjust plans and training as needed.
2) Clear scoping and objectives
Before beginning a DRP audit, you need to carefully consider the importance of the DRP to your organization and how proactively your organization wants to be able to respond to disasters. This will help you make key scoping decisions, including whether or not all departments and/or critical practices should be included in the audit process or whether you simply need to take a broader top-down look at the organization. As part of this scoping effort, be sure to consider accountability and clearly outline who’s accountable for failings or making changes.
It’s also important to set clear objectives to help inform audit processes and your final analysis.
3) Fitting methodology
Your scope and objectives will help you determine how detailed your audit methodology needs to be. At the very least, it’s a good idea to put together a checklist for what you’re going to audit, whether you’re planning a comprehensive audit of each department or a more general DRP checkup. Depending on your objectives, the approach auditors take may vary widely. For example, your company’s approach could involve all or some of the following steps:
- Interviewing all key personnel
- Reviewing records and past plans (especially if there are past losses to consider)
- Evaluating ongoing regulatory compliance
- Considering relationships with outside vendors and how losses in their operations could impact your operations
4) Effective analysis and reporting
The ultimate value an audit delivers will depend largely on how well you present the findings and recommendations. The level of analysis and detail will depend on your initial objectives, so it’s a best practice to begin with objectives so that everyone who reads the report understands your company’s priorities. It can also be helpful to discuss methodology before delving into findings so decision makers can weigh how methodology may have impacted findings and recommendations. Be sure to prioritize any recommendations that come out of the analysis based on importance to ongoing operations and budget realities.
5) Continuous DRP program management
We can’t emphasize enough how a DRP is a living, breathing document, so don’t just put your DRP on a shelf and forget about it once the audit process is over. As you perform audits, consider parts of the plan that may need more frequent [than yearly] updates or consideration and make it part of regular business processes to follow up on those things as needed.
If your team is already stretched thin, a DRP audit may sound like a lot of work. But almost any audit process is better than no review at all, so at the very least review your plan on an annual basis and make sure you are confident it still reflects your organizational needs.